top of page
Writer's pictureTony Fortunato

Getting Started With Microsoft's pktmon

I was bummed when I learned that Microsoft wasn’t developing Microsoft Message Analyzer as of Nov 2019.


I am excited that Microsoft is providing a native packet capture tool. I have already covered how to use netsh trace (https://www.networkcomputing.com/networking/capturing-packets-natively-microsoft-windows) but I’m hoping that pktmon will be even better.

This all started when I read the following articles:


So I thought an intro or quickstart video would be helpful to those of you who are curious about Pktmon.


Here's a bunch of summary notes

· elevated command prompt required for pktmon

· change dir to your desktop cd %userprofile%\desktop

· mkdir a test folder pktmon md pktmon

· check out your adapter details pktmon comp list or pktmon comp list –i to see all adapters and note your adapter id mine is 9

pktmon start options

-c to select a specific adapter or component using the id value provided in the pktmon comp list output. default is all adapters/components

--etw start a capture session

-p packet size. default is 128 bytes and a value of 0 is the full size frame

-f is the etl file name. default is pktmon.etl

-s maximum file size. default is 512 mb i don’t think this works

default –l or log-mode is circular where new events overwrite the oldest ones

the command I used to convert etl to pcang is pktmon pcapng PktMon.etl

Let me know if you find this helpful and I will proceed with more options, testing, etc.. For example my next article would cover filtering, then the various log/file options



1,502 views

Recent Posts

See All
bottom of page